Thursday, May 17, 2012

CISSP CPE6: Threat Review: Deconstructing Modern Trojans

Prevalence of port/protocol evasion in malware as compared to
non-malicious traffic

Common tricks of evasive traffic:

1. use an existing protocol in an unexpected way (for example, IRC
on port 80)

2. use a standard protocol over non-standard ports to avoid
signature matching

Example, DNS tunneling:

tcp-over-dns

Dns2tcp

Iodine

Heyoka

ozymanDNS

NSTX

These take advantage of recursive queries to pass encapsulated TCP
messages to a remote DNS server and send responses back.

App-ID addresses the evasion problem.
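The two evasion tricks above (a known protocol on an unexpected port, and data tunneled through DNS queries) are what content-based application identification is meant to catch. The following is an added toy example, not code from the webinar or from any vendor product: it names each flow from its first payload bytes while ignoring the port, then flags port/application mismatches, DNS queries whose leftmost label looks like encoded tunnel data, and anything it cannot name as "unknown traffic". The sample flows, port table and thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample flows (dst_port, first payload bytes); not real captures.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"NICK bot4471\r\nUSER bot 0 * :bot\r\nJOIN #c\r\n"),        # IRC on port 80
    (8081, b"POST /upload HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),   # HTTP on a non-standard port
    (6667, b"PRIVMSG #c :hello\r\n"),                              # IRC on its usual port
    (53, b"aGVsbG8gd29ybGQgdGhpcyBpcyB0dW5uZWxlZA.t.example.net"), # encoded data in a DNS label
    (53, b"www.example.com"),
    (4444, b"\x8a\x13\xf0\x02\x77\x01custom"),                      # nothing recognizable
]

EXPECTED_PORTS = {"http": {80, 8080}, "irc": {6667, 6697}, "dns": {53}}  # assumed baseline

def identify_app(payload: bytes) -> str:
    """Name the application from payload content alone, ignoring the port."""
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if re.match(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ", payload):
        return "irc"
    if re.fullmatch(rb"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+", payload):
        return "dns"
    return "unknown"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded tunnel payloads score far higher than hostnames."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_dns_tunnel(qname: bytes, max_label: int = 30, min_entropy: float = 3.5) -> bool:
    """A long, high-entropy leftmost label is the typical sign of data riding in a query."""
    label = qname.split(b".")[0]
    return len(label) > max_label and shannon_entropy(label) > min_entropy

def classify_flow(port: int, payload: bytes) -> tuple:
    app = identify_app(payload)
    if app == "unknown":
        return app, "unknown traffic"
    if port not in EXPECTED_PORTS[app]:
        return app, "app on non-standard port"
    if app == "dns" and looks_like_dns_tunnel(payload):
        return app, "possible DNS tunnel"
    return app, "ok"

def classify_all(flows=SAMPLE_FLOWS) -> list:
    """Return (port, application, verdict) for every flow."""
    return [(port, *classify_flow(port, payload)) for port, payload in flows]
```

Running `classify_all()` on the sample set labels the IRC-on-80 and HTTP-on-8081 flows as applications on non-standard ports, the long base64-looking DNS label as a possible tunnel, and the opaque port-4444 flow as unknown traffic, which is the category the webinar reports as far more common in malware than in legitimate sessions.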

WildFire analysis center: sandbox-based analysis looks over samples

- detect new and unknown malware samples

- Use App-ID to analyze traffic generated by malware

- focus on evasive traffic behavior and unusual traffic
that could not be detected by App-ID

16,497 newly discovered malware samples in April 2012:

66% of the traffic was undetected by traditional AV vendors

80% generated traffic to the Internet

59% (7,918) generated evasive traffic

Common evasive behavior:

sort HTTP headers

Unknown traffic

dynamic DNS, fast-flux domains

Fake HTTP

Non-standard HTTP

IRC on the regular port

IRC on a non-standard port

(surprisingly little use of IRC - it's becoming obsolete for malware)

Unknown traffic occurs at a significantly higher rate in malware than in valid network traffic:

11% of malware sessions presented as unknown

0.6% of legitimate traffic presented as unknown

Enterprises can progressively reduce the amount of unknown
traffic:

Custom App-IDs

I raised questions:

You mentioned that 66% of malware traffic is not detected
by major AV software; how did you test it?

Did you involve an AV company to test it?

There is a common mistake in AV testing of simply using
the AV CLI functionality, such as using VirusTotal, whereas AV has
multiple layers of protection that might not detect via the CLI functionality.

The common mistake of AV testing is simply using the CLI engine,
whereas AV has many layers of protection that cannot be accessed via the
CLI.